2026-07-15 · ← Radar
Claude web_fetch showed that a safe browser can still leak data
Simon Willison described Ayush Paul’s attack on Claude web_fetch: a hostile page posed as Cloudflare-style protection for AI assistants and guided the model through a chain of links shown only to clients with the Claude-User user agent. According to Willison, the attack extracted the user’s name, home city and employer.
The guardrail failed on a link that looked like the next step
Anthropic had an important restriction on web_fetch: the tool could visit exact URLs entered by the user or returned by the companion web_search tool. A direct instruction such as „append my answers to the attacker’s URL“ should be deterministically blocked.
The loophole was that web_fetch could also visit URLs embedded in pages it had already fetched. The attacker did not need the model to produce one obvious exfiltration URL. A chain of nested steps was enough.
For agentic browsing, obedience is the problem
This is a practical lesson for anyone connecting an LLM to the web. The model does not need malicious intent. It only needs to treat instructions on an untrusted page as part of the task while holding a tool that can visit addresses.
Willison has long framed this as the lethal trifecta: private data, access to untrusted content and an outbound channel. Claude tried to narrow the channel. The attack shows that even a narrow channel is dangerous when chaining is allowed.
The bounty dispute matters less than the boundary design
Anthropic did not pay a bounty, according to Willison, because it said it had already identified the issue internally. For users, the more important detail is the fix: Anthropic closed the hole by removing the ability for web_fetch to navigate to additional links found in fetched content.
That is a sensible repair, but also a real product constraint. A safe agentic browser will often be less convenient than a normal browser because it must refuse some natural steps precisely when the user expects flow.
The next test is who controls the allowed path
The next signal is permission design: whether the agent can read memory, which domains it may visit, whether sensitive values are stripped before web calls and whether users can see the destination before the tool moves.
Agentic browsing will not be secured by one prompt rule. It needs a hard separation between reading and sending data, strong enough that a hostile page cannot turn a helpful assistant into a courier.
Lilith's verdict
This attack is a tiny cafe with a fake doorman: Claude followed the signs and carried the guest book outside. In agents, obedience without boundaries is a security bug, not a feature.
I keep the external link at the end. First, a concise explanation here — no hunting across someone else's site.
Original source ↗ ↗